Method for distributing encryption keys in wireless LAN

ABSTRACT

A method for distributing encryption keys in WLAN that combines a key distribution process with an authentication process of mobile hosts and utilizes an authentication server or a wireless gateway to manage key distribution, so that mobile hosts can roam in a scope larger than the coverage area of the key management server. Because the key distribution never transmits an unencrypted key via the air interface, the method ensures the key is safe. In addition, the method can be used under different WLAN protocols. Because the AP does not need to manage user information, the method simplifies AP structure, and thus lowers the cost.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates to communication between APs (Access Point) in WLAN (Wireless Local Area Network) and any mobile host, particularly to a method for distributing encryption keys.

2. Description of the Related Art

WLAN transfers data, voice, and video signals through wireless channels. Compared with traditional networks, WLAN is easy to install, flexible to use, economical, and easy to extend, etc., and is favored by more and more users.

The coverage area of WLAN is called the service area, which is usually divided into Basic Service Area (hereinafter referred to as BSA) and Extended Service Area (hereinafter referred to as ESA); wherein BSA refers to the communication coverage area determined by transceivers of individual units in the WLAN and the geographic environment and is usually called a cell, the scope of which is generally small; the method shown in FIG. 1 is usually used to extend the coverage area of WLAN, i.e., the BSA is connected to the backbone network (usually a wired LAN) via the APs and the wireless gateway, so that mobile hosts (MHs) in the BSA are connected to the backbone network via the APs and the wireless gateway to constitute an ESA.

Compared with wire transmission, the confidentiality of wireless transmission is lower; therefore, to ensure communication security between the APs of the cell and the mobile hosts, information should be encrypted with keys before being transmitted. When a mobile host moves across cells or powers on, it searches for the local cell, registers itself to the AP of the cell, and obtains information related with the cell; therefore, the encryption communication between the mobile host and the APs will be restricted to some extent. In detail, for example, when the mobile host MH12 moves from cell 1 into cell 2, if AP11 and AP12 are in the coverage area of the same key management server, then the encryption communication between mobile host MH12 and AP11 can be smoothly transited to between MH12 and AP21; however, if AP11 and AP21 are managed by different key management servers, then encryption communication between MH12 and AP21 cannot be realized directly in cell 2 because AP21 cannot obtain the communication key of MH12. However, if the mobile host MH12 sends its key to AP21 through the wireless channel without encryption, the system will be vulnerable because the key may be intercepted and deciphered easily.

As described above, it is obvious that the method for distributing encryption keys in the prior art will result in restrictions to encryption communication when the mobile host roams across cells.

BRIEF SUMMARY OF THE INVENTION

The present invention provides a new method for distributing encryption keys in WLAN.

In a method for distributing encryption keys in WLAN according to the present invention, said WLAN comprises an AP and a plurality of mobile hosts storing identification information, said mobile hosts communicate with said AP through wireless channels, said AP and the external network connect with the authentication device which authenticates said mobile hosts; said authentication device stores identification information of all mobile hosts, said method comprises the following steps:

(1) a mobile host sending an authentication request containing identification information to the authentication device for identity authentication;

(2) the authentication device authenticating the mobile host according to identification information contained in the authentication request, if the authentication fails, the authentication device sending an ACCEPT_REJECT message to the mobile host via the AP; if the authentication succeeds, the authentication device sending key-related information M1 to AP and sending a message comprising ACCESS_ACCEPT information to the mobile host via the AP; if containing key-related information M2, said message being encrypted;

(3) AP obtaining the key from the key-related information M1 sent from the authentication device, and the mobile host obtaining the key from said message sent from the authentication device via the AP.

As shown above, the method of the present invention combines the key distribution process with the authentication process of the mobile hosts and utilizes an authentication device to manage key distribution, so that mobile hosts can roam in a scope larger than the coverage area of the key management server. Because the key distribution does not involve transmitting an unencrypted key via the air interface, the method ensures the key is safe. In addition, said method does not depend on specific authentication modes, so it can be used under different kinds of WLAN protocols. Finally, because AP does not need to manage user information, the method simplifies AP structure, and thus lowers the cost.

BRIEF DESCRIPTION OF THE DRAWINGS

Various advantages, characteristics, and features of the present invention can be understood better through description of the embodiments hereunder with reference to the attached drawings, wherein:

FIG. 1 is a schematic diagram of connection between a WLAN and a wired backbone network via the AP and a wireless gateway;

FIG. 2 a is a schematic diagram of the encryption communication method in WLAN according to an embodiment of the present invention;

FIG. 2 b is a schematic diagram of the encryption communication method in WLAN according to another embodiment of the present invention;

FIG. 2 c is a schematic diagram of the encryption communication method in WLAN according to another embodiment of the present invention;

FIG. 2 d is a schematic diagram of the encryption communication method in WLAN according to another embodiment of the present invention;

FIG. 3 a shows an example of the dynamic negotiation process for the keys in WLAN;

FIG. 3 b shows another example of the dynamic negotiation process for the keys in WLAN;

FIG. 3 c shows another example of the dynamic negotiation process for the keys in WLAN; and

FIG. 3 d shows another example of the dynamic negotiation process for the keys in WLAN.

DETAILED DESCRIPTION OF THE EMBODIMENTS

Hereunder the method for distributing encryption keys in WLAN according to the embodiments of the present invention is described in detail with reference to FIG. 1 and FIG. 2 a to 2 d.

As shown in FIG. 1, cell 1 to 3 include AP11, AP21 and AP31, and several mobile hosts MH12 to MH33 respectively, each of the mobile hosts stores identity information I and property information P and communicates with the AP in the corresponding cell through a wireless channel; the APs are connected to a wired backbone network 4 via wireless gateways 51 to 53; the authentication server (not shown) in the backbone network contains identity information I and property information P of all mobile hosts in all cells, and it can also obtain user lists storing identity information I and property information P of mobile hosts from external devices; therefore the authentication server can authenticate any mobile host according to the identity information I or the identity information I stored in the user lists. It should be noted that the identity information I and the property information P of mobile hosts can also be managed by wireless gateways 51 to 53, therefore the mobile hosts can be authenticated by the wireless gateways. In addition, the mobile hosts can also be authenticated by the authentication server and the wireless gateways interoperably. For those skilled in the art, authentication of mobile hosts is the prior art and can be implemented in various ways, and said methods are only a part of them; for convenience, any device which can authenticate the mobile hosts will be considered as an authentication device.

FIG. 2 a shows the initial key distribution and the encryption communication between mobile host MH12 and AP21 when MH12 moves into cell 2 from cell 1.

The mobile host MH12 establishes a connection with AP21 and sends an authentication request containing identity information to the authentication server in the backbone network 4 for authentication via AP21 and the wireless gateway 51. When receiving the authentication request, the authentication server authenticates the mobile host according to the identity information I contained in the authentication request; if the identity information I is inconsistent with the stored one, the authentication server deems the mobile host as an illegal one and rejects the authentication request, and then sends an ACCEPT_REJECT message to MH11 via the wireless gateway 51 and AP21; if the identity information I contained in the authentication request is consistent with the stored one, the authentication server deems the mobile host as a legal one and accepts the authentication request, and then, as shown in FIG. 2 a, the authentication server searches for the corresponding property information P of the mobile host MH12 according to the identity information I and then sends it to AP21 via the wireless gateway 51. When receiving the property information P sent from the authentication server, AP21 sends a confirmation message back to the authentication server via the wireless gateway for safe receipt of the property information P and generates a key from the property information P with the key generation algorithm. The key generation algorithm can be any kind of algorithm, and the length of the key is free. When receiving the confirmation message from AP21, the authentication server sends an ACCESS_ACCEPT message to MH21 via the wireless gateway 51 and AP21.

When receiving the ACCESS_ACCEPT message, the mobile host MH21 generates a key from the property information P stored in itself with the same key generation algorithm as the one with which AP21 generates a key, and then encrypts data packets to be sent to AP21 with the key, and sends the encrypted data packets to AP21; MH21 adds an encryption identifier in the data packets when encrypting the data packets. When receiving the data packets from MH21, AP21 detects the encryption identifier in the data packets; if the encryption identifier is found, AP21 decrypts the data packets with the key obtained from property information P and the key generation algorithm, and then forwards the decrypted data packets to the external network 4 via the wireless gateway 51; otherwise AP21 directly forwards the original data packets to the external network 4 via the wireless gateway 51.

FIG. 2 b is a schematic diagram of the encryption communication method in WLAN according to another embodiment of the present invention. The difference between this embodiment and that of FIG. 2 a is: in the communication process, the key is generated with any key generation algorithm and then encrypted with property information P by AP21, and then sent to MH21. When receiving the key from AP21, MH21 decrypts the key with the property information P stored in itself, encrypts the data packets to be sent to AP with the decrypted key and sends them to AP. MH21 also adds an encryption identifier in the data packets when encrypting the data packets. In this case, each of the mobile hosts does not need to know the key generation algorithm used by AP21.

FIG. 2 c is a schematic diagram of the encryption communication method in WLAN according to another embodiment of the present invention. The difference between this embodiment and that of FIG. 2 a is: when the authentication succeeds, the authentication server generates the key from the found property information P with the key generation algorithm and then sends the key to AP21 instead of sending the property information P to AP21 to generate the key.

FIG. 2 d is a schematic diagram of the encryption communication method in WLAN according to another embodiment of the present invention. The difference between this embodiment and that of FIG. 2 c is: when the authentication succeeds, the authentication server generates the key with the key generation algorithm and then sends the key to AP21, and at the same time, the authentication server also sends the key encrypted with the property information P to MH21.

It should be noted that the backbone network 4 may include a plurality of authentication servers, which connect with each other under certain communication protocols to exchange identification information of the mobile hosts stored in them, so that the service area can be extended further.

In the above embodiments, if the mobile hosts are authenticated by the wireless gateways 51 to 53 independently, other functions of the authentication server can also be implemented on the wireless gateways; for example, wireless gateways 51 to 53 can be configured to send the ACCESS_ACCEPT message to MH21, generate the key, and send property information P to AP21, etc. Similarly, if the confirmation function is implemented by the authentication server and the wireless gateways interoperably, other functions of the authentication server can also be implemented by the authentication server and the wireless gateways interoperably. In general, all functions of the authentication server can be implemented by the authentication device.

In the above encryption communication in the WLAN, to enhance system security further, the communication key between AP and the mobile host can also be updated periodically or aperiodically. Hereunder several examples of such dynamic negotiation for keys are described with reference to FIG. 3 a to 3 d.

As shown in FIG. 3 a, in order to update the key, AP generates a random number first and generates a key from the random number with any key generation algorithm; then AP adds the random number in the key update message and then sends the message to the mobile host. When receiving the key update message, the mobile host generates the key from the random number contained in the key update message with the same key generation algorithm, encrypts the data packets to be sent to AP with the key, and then sends the data packets to AP; when encrypting the data packets, the mobile host still adds the encryption identifier in the data packets and changes the value of the encryption identifier to indicate the communication key has been changed.

FIG. 3 b shows another example of dynamic negotiation for the keys. As shown in FIG. 3 b, in order to update the key, AP generates a new key in a random way, encrypts the newly generated key with the present key, and adds the encrypted key to the key update message, and then sends the message to the mobile host. When receiving the key update message, the mobile host decrypts the new key contained in the key update message with the present key, encrypts the data packets to be sent to AP with the new key, and then sends the encrypted data packets to AP; when encrypting the data packets, the mobile host also adds the encryption identifier to the data packets and changes the value of the encryption identifier to indicate the communication key has been changed.

FIG. 3 c shows another sample of the dynamic negotiation for the keys. As shown in FIG. 3 c, in order to update the key, the authentication device generates a random number, generates a key from the random number with any key generation algorithm, and sends the random number to the mobile host and sends the generated key to AP. When receiving the key from the authentication device, AP sends a key update message to the mobile host. When receiving the key update message and the random number, the mobile host generates the key with the same key generation algorithm, encrypts the data packets to be sent to AP with the key, and then sends the encrypted data packets to AP; when encrypting the data packets, the mobile host also adds the encryption identifier to the data packets and changes the value of the encryption identifier to indicate the communication key has been changed.

FIG. 3 d shows another sample of dynamic negotiation for the keys. As shown in FIG. 3 d, in order to update the key, the authentication device generates a new key in a random way, sends the key to AP, then encrypts the new key with the present key, and sends the encrypted key to the mobile host. When receiving the unencrypted key from the authentication device, AP sends a key update message to the mobile host. When receiving the key update message and the encrypted key, the mobile host decrypts the encrypted key with the present key to obtain a new key, encrypts the data packets to be sent to AP with the new key, and then sends the encrypted data packets to AP; when encrypting the data packets, the mobile host also adds the encryption identifier in the data packets and changes the value of the encryption identifier to indicate the communication key has been changed.

In the above dynamic negotiation process, if AP finds the value of the encryption identifier in the data packets sent from the mobile host is not changed after the key update message is sent, it will resend the key update message and the random number or encrypted new key, until the mobile host communicates with the new key.

As shown above, the key distributing method does not involve logon management, authentication management, and mobile management in WLAN; therefore it can be implemented under all different kinds of WLAN protocols, including PPPoE, IEEE 802.1x, etc. To better understand the advantages, characteristics and object of the present invention, the key distributing method in the embodiment of the present invention will now be described with reference to IEEE 802.1x.

IEEE 802.1x is a commonly-used WLAN protocol, involving standards of MAC layer and physical layer, wherein the unit of data packets between AP and mobile hosts is MAC frame. IEEE 802.1x messages mainly include: EAP_START, EAP_LOGOFF, EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAIL and EAP_KEY, which are special MAC frames because they are identified by the Type field in MAC frame.

After establishing a connection with AP, the mobile host sends an EAP_START message to AP; when receiving the message, AP sends an EAP_REQUEST/IDENTITY message to the mobile host to request the user to input user name and password. After the user inputs the user name and password, the mobile host encapsulates them in the EAP_RESPONSE/IDENTITY message and sends the message back to AP. AP encapsulates the user name and password provided by the user into an ACCESS_REQUEST message and then sends the message to the authentication server; the communication between AP and the authentication server complies with the Radius protocol. The authentication server checks whether the user name and password match first; if not, the authentication server determines the authentication failed and sends an ACCEPT_REJECT message to AP. When receiving the message, AP sends an EAP_FAIL message to the mobile host to reject access of the mobile host. If the authentication succeeds, the authentication server will send an ACCESS_ACCEPT message to AP and add property information P corresponding to the user in the data field of the message. When AP receives the message, as described in the above key distributing method, the key can be generated from the property information P with a key generation algorithm and an EAP_SUCCESS message is sent to the mobile host, or the key can be encrypted with the property information P and then sent to the mobile host in an EAP_KEY message. Accordingly, the mobile host can generate the key from the stored property information P with the same key generation algorithm or decrypt the received key with the corresponding property information P. Next, the mobile host encrypts MAC frame data with the key and then sends the encrypted MAC frame data to AP; at the same time, it adds the encryption identifier in the MAC frames.

The frame body field comprises an IV field, a data field and an ICV field; in particular, the IV field contains a 2-bit KeyID field, which serves as the synchronization flag. Preferably, when the MAC frames are not encrypted, KeyID=0; after the encryption communication starts, KeyID is increased by 1 whenever the key is updated, i.e., KeyID=KeyID+1; when KeyID=3, it will be reset to 1 instead of 0 during the next key update operation. Therefore, when the MAC data is encrypted for the first time, the field KeyID=1 in the MAC frames sent by the mobile host; when receiving the MAC frames with KeyID=1, AP determines the mobile host has used a new key and then decrypts MAC data with said generated key, converts the MAC data into Ethernet format and forwards it to the wired network. If detecting the KeyID in MAC frames uploaded by the mobile host is still 0 after sending the EAP_KEY message, AP will resend the EAP_SUCCESS or EAP_KEY message.

In order to update the communication key dynamically, after the mobile host logs on, AP may send the EAP_KEY message periodically (e.g., once every 10 minutes) or aperiodically to inform the mobile host to update the key. In the latest EAP_KEY message, the random number used to generate the new key or the new key encrypted with the present key may be included selectively. When receiving the message, the mobile host can generate the new key from the random number with the same key generation algorithm or decrypt the new key with the present key. Next, the mobile host encrypts MAC data with the new key and sets KeyID=2 at the same time. AP detects the KeyID field in the uploaded MAC frames; if the KeyID is not changed, it continues using the present key to decrypt the MAC data and resends the EAP_KEY message at the same time; if the KeyID has been changed, it will use the new key to decrypt the MAC data.
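The KeyID synchronization described above, as an added example that is not part of the original patent text: a mobile host and an AP derive the initial key from property information P, rotate it from a random number, and the AP uses the 2-bit KeyID to decide which key applies and whether to resend the pending message. Assumptions: HMAC-SHA256 stands in for the unspecified key generation algorithm, the frame layout and cipher are a toy built from HMAC, all class and function names are hypothetical, and the present key is mixed into the update derivation because the random number travels in the clear.

```python
import hashlib
import hmac
import os

def derive_key(secret, label):
    """Stand-in for the patent's unspecified key generation algorithm (assumed)."""
    return hmac.new(secret, label, hashlib.sha256).digest()

def next_key_id(key_id):
    """2-bit KeyID: 0 = unencrypted; updates go 1, 2, 3, then wrap to 1, never 0."""
    return 1 if key_id == 3 else key_id + 1

def keystream(key, nonce, n):
    blocks = (hmac.new(key, nonce + c.to_bytes(4, "big"), hashlib.sha256).digest()
              for c in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key, key_id, data):
    """Toy frame: KeyID byte | 8-byte nonce (IV) | ciphertext | 16-byte tag (ICV)."""
    enc, mac = derive_key(key, b"enc"), derive_key(key, b"mac")
    header = bytes([key_id & 0x3]) + os.urandom(8)
    ct = bytes(a ^ b for a, b in zip(data, keystream(enc, header[1:], len(data))))
    return header + ct + hmac.new(mac, header + ct, hashlib.sha256).digest()[:16]

def open_frame(key, frame):
    enc, mac = derive_key(key, b"enc"), derive_key(key, b"mac")
    header, ct, tag = frame[:9], frame[9:-16], frame[-16:]
    want = hmac.new(mac, header + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, want):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, keystream(enc, header[1:], len(ct))))

class MobileHost:
    def __init__(self, prop_p):
        self.prop_p, self.key, self.key_id = prop_p, None, 0

    def on_access_accept(self):
        # FIG. 2a: derive the key locally from stored P; P never crosses the air.
        self.key, self.key_id = derive_key(self.prop_p, b"initial"), 1

    def on_key_update(self, rand):
        # Assumption: mix in the present key, since rand is sent in the clear.
        self.key = derive_key(self.key, b"update" + rand)
        self.key_id = next_key_id(self.key_id)

    def send(self, data):
        return b"\x00" + data if self.key_id == 0 else seal(self.key, self.key_id, data)

class AccessPoint:
    def __init__(self):
        self.key, self.key_id, self.pending = None, 0, None

    def on_property_info(self, prop_p):
        # P arrives from the authentication device over the wired side.
        self.pending = (1, derive_key(prop_p, b"initial"))

    def start_key_update(self):
        rand = os.urandom(16)
        self.pending = (next_key_id(self.key_id),
                        derive_key(self.key, b"update" + rand))
        return rand  # carried to the host in the key update message

    def receive(self, frame):
        """Return (action, payload); 'resend' means repeat the pending message."""
        fid = frame[0] & 0x3
        if self.pending and fid == self.pending[0]:
            payload = open_frame(self.pending[1], frame)  # verify before committing
            self.key_id, self.key = self.pending
            self.pending = None
            return "switched", payload
        action = "resend" if self.pending else "forward"
        if fid == 0:
            return action, frame[1:]          # unencrypted frame passes through
        if fid == self.key_id:
            return action, open_frame(self.key, frame)
        raise ValueError("unexpected KeyID")

def demo():
    prop_p = b"constructed-property-information-P"  # constructed sample value
    mh, ap = MobileHost(prop_p), AccessPoint()
    ap.on_property_info(prop_p)
    log = [ap.receive(mh.send(b"before accept"))]   # KeyID still 0
    mh.on_access_accept()
    log.append(ap.receive(mh.send(b"first")))       # KeyID 1
    rand = ap.start_key_update()
    log.append(ap.receive(mh.send(b"old key")))     # KeyID unchanged
    mh.on_key_update(rand)
    log.append(ap.receive(mh.send(b"new key")))     # KeyID 2
    return log

if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The AP commits to the pending key only after a frame carrying the new KeyID passes the integrity check, so a frame with a changed KeyID but a bad tag leaves the key state untouched.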

1. A method for distributing encryption keys in WLAN, said WLAN having an AP and a plurality of mobile hosts storing identification information, the mobile hosts communicating with the AP through wireless channels, the AP and the external network connecting with the authentication device which authenticates the mobile hosts, the authentication device storing identification information of all mobile hosts, the method comprising the following steps: (1) a mobile host sending an authentication request containing identification information to the authentication device for identity authentication; (2) the authentication device authenticating the mobile host according to identification information contained in the authentication request, and if the authentication fails, the authentication device sending an ACCEPT_REJECT message to the mobile host via the AP, and if the authentication succeeds, the authentication device sending key-related information M1 to AP and sending a message comprising ACCESS_ACCEPT information to the mobile host via the AP, and if containing key-related information M2, said message being encrypted; and (3) AP obtaining the key from the key-related information M1 sent from the authentication device, and the mobile host obtaining the key from said message sent from the authentication device via the AP.

2. The method for distributing encryption keys in WLAN of claim 1 wherein said information M1 is the corresponding property information searched by said authentication device according to the identification information contained in the authentication request, said AP obtains the key through generating it from said property information with a key generation algorithm; whereas said mobile host obtains the key through generating it from property information stored in itself with the same key generation algorithm after said mobile host receives said message comprising ACCESS_ACCEPT information forwarded by AP.

3. The method for distributing encryption keys in WLAN of claim 1 wherein said information M1 is the corresponding property information searched by said authentication device according to the identification information contained in the authentication request, said AP obtains the key through generating it with a key generation algorithm; said information M2 is the key generated and encrypted by AP with said property information and then sent to said mobile host along with said ACCESS_ACCEPT message, said mobile host obtains the key through decrypting information M2 with said property information.

4. The method for distributing encryption keys in WLAN of claim 1 wherein said information M1 is the key generated from said property information corresponding to the identification information contained in said authentication request by said authentication device with a key generation algorithm, said mobile host obtains the key through generating it from said property information stored in itself with the same key generation algorithm after receiving said ACCESS_ACCEPT message.

5. The method for distributing encryption keys in WLAN of claim 1 wherein said information M1 and M2 are the key generated from said property information corresponding to the identification information contained in said authentication request by said authentication device with a key generation algorithm, said information M2 is encrypted with said property information and then sent to said mobile host along with said ACCESS_ACCEPT message, said mobile host obtains the key through decrypting said information M2 with the property information stored in itself after receiving said ACCESS_ACCEPT message.
6. The method for distributing encryption keys in WLAN of claim 1 wherein when receiving data packets encrypted with a key sent from the mobile host, said AP updates the key through the following steps of: (a1) said AP generating a random number and generating a new key from said random number with any key generation algorithm; (b1) said AP adding said random number to a key update message and then sending said message to said mobile host; (c1) when receiving said key update message, said mobile host generating a new key from said random number contained in said key update message with the same key generation algorithm as that in step (a1); (d1) said mobile host encrypting the data packets to be sent to AP with said new key and then sending the encrypted data packets to AP, during the encryption process, said mobile host adding an encryption identifier to said data packets and changing the value of said encryption identifier to indicate the communication key has been changed; and (e1) when receiving the data packets from said mobile host, said AP determines whether to change the key according to value of said encryption identifier.

7. The method for distributing encryption keys in WLAN of claim 1 wherein in order to achieve encryption communication with the new key, when receiving the data packets encrypted with the key sent from said mobile host, said AP updates the key periodically or aperiodically through the following steps of: (a2) said AP generating a new key in any way and encrypting said new key with the present key; (b2) said AP adding the encrypted key to the key update message and then sending said message to said mobile host; (c2) when receiving said key update message, said mobile host decrypting the new key contained in said key update message with the present key so as to obtain said new key; (d2) said mobile host encrypting the data packets to be sent to AP with said new key and then sending the encrypted data packets to AP, during the encryption process, said mobile host adding an encryption identifier to said data packets and changing the value of said encryption identifier to indicate the communication key has been changed; and (e2) when receiving the data packets from said mobile host, said AP determines whether to change the key according to value of said encryption identifier.

8. The method for distributing encryption keys in WLAN of claim 1 wherein when receiving the data packets encrypted with the key sent from said mobile host, said AP updates the key periodically or aperiodically through the following steps of: (a3) said authentication device generating a random number which is used to generate a new key with the key generation algorithm, and then said authentication device sending said new key to AP, and sending said random number to said mobile host via AP; (b3) said AP sending said key update message to said mobile host after receiving said new key; (c3) when receiving said random number from said authentication device and said key update message from AP, said mobile host generating a new key from said random number with the same key generation algorithm as that in step (a3); (d3) said mobile host encrypting the data packets to be sent to AP with said new key and then sending the encrypted data packets to AP, during the encryption process, said mobile host adding an encryption identifier to said data packets and changing the value of said encryption identifier to indicate the communication key has been changed; and (e3) when receiving the data packets from said mobile host, said AP determines whether to change the key according to value of said encryption identifier.

9. The method for distributing encryption keys in WLAN of claim 1 wherein in order to achieve encryption communication with the new key, when receiving the data packets encrypted with the key sent from said mobile host, said AP updates the key periodically or aperiodically through the following steps of: (a4) said AP generating a new key in any way and encrypting said new key with the present key, then sending said new key to said AP, whereas sending the encrypted new key to said mobile host via said AP; (b4) after receiving said new key, said AP sending a key update message to said mobile host; (c4) when receiving the encrypted key from said authentication device and said key update message from said AP, said mobile host decrypting the encrypted key with the present key to obtain a new key; (d4) said mobile host encrypting the data packets to be sent to AP with said new key and then sending the encrypted data packets to AP, during the encryption process, said mobile host adding an encryption identifier to said data packets and changing the value of said encryption identifier to indicate the communication key has been changed; and (e4) when receiving the data packets from said mobile host, said AP determines whether to change the key according to value of said encryption identifier.
10. The method for distributing encryption keys in WLAN of claim 1 wherein said authentication device is an authentication server installed in said external network.

11. The method for distributing encryption keys in WLAN of claim 6 wherein said authentication device is an authentication server installed in said external network.

12. The method for distributing encryption keys in WLAN of claim 7 wherein said authentication device is an authentication server installed in said external network.

13. The method for distributing encryption keys in WLAN of claim 8 wherein said authentication device is an authentication server installed in said external network.

14. The method for distributing encryption keys in WLAN of claim 9 wherein said authentication device is an authentication server installed in said external network.

15. The method for distributing encryption keys in WLAN of claim 1 wherein said authentication device is a wireless gateway that connects said AP with said external network.

16. The method for distributing encryption keys in WLAN of claim 6 wherein said authentication device is a wireless gateway that connects said AP with said external network.

17. The method for distributing encryption keys in WLAN of claim 7 wherein said authentication device is a wireless gateway that connects said AP with said external network.

18. The method for distributing encryption keys in WLAN of claim 8 wherein said authentication device is a wireless gateway that connects said AP with said external network.

19. The method for distributing encryption keys in WLAN of claim 9 wherein said authentication device is a wireless gateway that connects said AP with said external network.

20. The method for distributing encryption keys in WLAN of claim 1 wherein said authentication device includes said wireless gateway and said authentication server installed in external network.

21. The method for distributing encryption keys in WLAN of claim 6 wherein said authentication device includes said wireless gateway and said authentication server installed in external network.

22. The method for distributing encryption keys in WLAN of claim 7 wherein said authentication device includes said wireless gateway and said authentication server installed in external network.

23. The method for distributing encryption keys in WLAN of claim 8 wherein said authentication device includes said wireless gateway and said authentication server installed in external network.

24. The method for distributing encryption keys in WLAN of claim 9 wherein said authentication device includes said wireless gateway and said authentication server installed in external network.